Repository: incubator-sentry Updated Branches: refs/heads/branch-1.6.0 d4e6bbf7e -> 6aab61b33
SENTRY-841: Revoke on SERVER scope breaks Client API, allows any string to be passed in (Ryan P via Dapeng Sun, Reviewed by Colin Ma)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/6aab61b3
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/6aab61b3
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/6aab61b3
Branch: refs/heads/branch-1.6.0
Commit: 6aab61b33abcbcac825979831c2de63ce8837d32
Parents: d4e6bbf
Author: Sun Dapeng <s...@apache.org>
Authored: Sun Sep 6 09:17:25 2015 +0800
Committer: Sun Dapeng <s...@apache.org>
Committed: Sun Sep 6 09:17:25 2015 +0800
----------------------------------------------------------------------
.../thrift/SentryPolicyServiceClient.java | 3 +++
.../SentryPolicyServiceClientDefaultImpl.java | 7 +++++
.../thrift/TestSentryServiceIntegration.java | 28 ++++++++++++++++++++
3 files changed, 38 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/6aab61b3/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
index 3c2c7c6..cbc0aaf 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
@@ -113,6 +113,9 @@ public interface SentryPolicyServiceClient {
 public void revokeServerPrivilege(String requestorUserName, String roleName, String server, String action, Boolean grantOption) throws SentryUserException;
+ public void revokeServerPrivilege(String requestorUserName, String roleName, String server,
+ boolean grantOption) throws SentryUserException;
+
 public void revokeDatabasePrivilege(String requestorUserName, String roleName, String server, String db, String action) throws SentryUserException;
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/6aab61b3/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java
index 4afe1b4..fe2fef7 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java
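Review bot: The added four-argument `revokeServerPrivilege` carries no Javadoc, and nothing in its signature tells a caller that the implementation later in this commit substitutes the ALL action. On an authorization client that belongs at the interface, for example `/** Revokes the ALL action on {@code server} from {@code roleName}; use the five-argument overload to name a specific action. */`. The new parameter is also a primitive `boolean grantOption` while the overload directly above takes `Boolean grantOption`; if a null value carries a meaning there (not visible in this hunk), the comment should say that this overload cannot express it.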
@@ -497,6 +497,13 @@ public class SentryPolicyServiceClientDefaultImpl implements SentryPolicyService
 PrivilegeScope.SERVER, server, null, null, null, null, action, grantOption);
 }
+ public void revokeServerPrivilege(String requestorUserName,
+ String roleName, String server, boolean grantOption)
+ throws SentryUserException {
+ revokePrivilege(requestorUserName, roleName,
+ PrivilegeScope.SERVER, server, null, null, null, null, AccessConstants.ALL, grantOption);
+ }
+
 public void revokeDatabasePrivilege(String requestorUserName, String roleName, String server, String db, String action) throws SentryUserException {
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/6aab61b3/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
index 02c7535..0d35b7d 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
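Review bot: The five-argument overload whose tail appears as context at the top of this hunk still forwards its caller-supplied `action` to `revokePrivilege` unchanged, so the "any string" input named in the commit title stays reachable through that overload unless `revokePrivilege` or the server rejects unknown actions, which these lines do not show. If nothing downstream validates it, that overload needs a check, or at least a comment such as `// action is passed through unvalidated; prefer the overload without an action argument (SENTRY-841)`. The new method implements an interface method and should carry `@Override`. The five-argument overload's signature lies outside the hunk.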
@@ -820,4 +820,32 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase {
 }});
 }
+
+ /* SENTRY-841 */
+ @Test
+ public void testGranRevokePrivilegeOnServerForRole() throws Exception {
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+
+ String roleName1 = "admin_r1";
+
+ client.dropRoleIfExists(requestorUserName, roleName1);
+ client.createRole(requestorUserName, roleName1);
+
+ client.grantServerPrivilege(requestorUserName, roleName1, "server", false);
+
+ Set<TSentryPrivilege> listPrivs = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
+ assertTrue("Privilege should be all:",listPrivs.iterator().next().getAction().equals("*"));
+
+ client.revokeServerPrivilege(requestorUserName, roleName1, "server", false);
+ listPrivs = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
+ assertTrue("Privilege not correctly revoked !!", listPrivs.size() == 0);
+
+ }});
+ }
 }
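Review bot: The test only covers a privilege granted and revoked with the same `grantOption` (`false`), so it says nothing about what the new overload does to a privilege that was granted with `grantOption` true; a revoke that leaves such a privilege in place would still pass here. A second grant/revoke pair with differing flags, followed by an assertion on the resulting list, would pin that behaviour down. `listPrivs.iterator().next()` runs before any size check, so a failed grant surfaces as `NoSuchElementException` rather than an assertion failure; `assertTrue("Expected one privilege", listPrivs.size() == 1);` ahead of it fixes that. The method name also has a typo: `testGranRevokePrivilegeOnServerForRole` should read `testGrantRevokePrivilegeOnServerForRole`.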